Security guru Steve Gibson offers a clever passphrase evaluator page, including some general guidance on practical ways to create “real world useable” passwords.
Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.
This is quite different from typical “password strength” evaluators, which examine entropy (how random the characters in your proposed string are).
We will be changing some passphrases based on Steve’s insights.
BTW, don’t forget that password crackers know how to build test phrases by combining dictionary words with whitespace. So a string of lowercase words separated by spaces is secure if it is a really long phrase (easy to do with Steve’s methodology). It is a good idea to vary the whitespace too.
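To compare the two searches described above, here is an added example (not code from Steve Gibson's page or from this post) that counts the character-level brute-force haystack and the word-combination haystack for the same phrase. It assumes the 95 printable ASCII characters split into classes of 26, 26, 10 and 33, an attacker who tries every length up to the password's own, a hypothetical 7776-word attacker dictionary, and that every lowercase token is in that dictionary.

```python
import string

def alphabet_size(password):
    """Size of the smallest character-class union covering the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    # Anything else (space, punctuation) counts as the 33 remaining
    # printable ASCII characters; non-ASCII input is not modelled here.
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33
    return size

def brute_force_space(password):
    """Candidates tried when exhausting every length up to len(password)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def word_combination_space(phrase, wordlist_size, separators=1):
    """Candidates when the attacker joins dictionary words instead.
    separators = number of distinct separator strings tried per gap."""
    n = len(phrase.split())
    return sum(wordlist_size ** k * separators ** (k - 1)
               for k in range(1, n + 1))

def effective_space(phrase, wordlist_size, separators=1):
    """Worst case for the defender: assume every lowercase token is in the
    attacker's word list, so the cheaper of the two searches applies."""
    brute = brute_force_space(phrase)
    tokens = phrase.split()
    if tokens and all(t.isalpha() and t.islower() for t in tokens):
        return min(brute,
                   word_combination_space(phrase, wordlist_size, separators))
    return brute

if __name__ == "__main__":
    WORDLIST = 7776  # hypothetical attacker word-list size (assumption)
    # Constructed sample inputs, not real credentials.
    for sample in ["aB3$", "correct horse", "correct horse battery staple"]:
        print(f"{sample!r}: brute={brute_force_space(sample):.3e} "
              f"effective={effective_space(sample, WORDLIST):.3e}")
```

The gap between the two numbers for a lowercase phrase is why the phrase has to be long, and the `separators` parameter shows how much each extra whitespace variant multiplies the word-level search.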
The relevant podcast is Security Now #303, which includes some useful commentary on Mac OS X security issues.